Under Review

Status dead on ssl vpn service. Reason: half invalid SSP site2site client connection.

Hello Sophos team, 

Last week we had an issue with our XGS4500 and the SSL VPN being "status dead" after restarting it, because I needed to change DNS values (#07293112). We tried some KB articles and forum posts, where it stated that we need to regenerate the default appliance cert, but it didn't help.

After Sophos Support (thanks to Tyler Tomlin of the Sophos team) pointed me in the right direction with the csc debug log, I found out that the debug output referred to a forgotten site2site client SSL VPN connection that we had added there for testing purposes a month ago. After I disabled or deleted it, it was working again immediately, without doing a manual start.

The output was like this (no other hints except this debug log):

DEBUG Mar 29 16:13:44Z [sslvpn:2699]: log_exec: Command: /bin/rm -rf /conf/sysfiles/openvpn/client/MYFORGOTTENsite2site/key
INFO Mar 29 16:13:44Z [sslvpn:2699]: csc_execve: Child exited with status 0
DEBUG Mar 29 16:13:44Z [sslvpn:2699]: log_exec: Command: /bin/mv /conf/sysfiles/openvpn/client/BMYFORGOTTENsite2site/certificate /conf/sysfiles/openvpn/client/MYFORGOTTENsite2site/MYFORGOTTENsite2site.certificate
ERROR Mar 29 16:13:44Z [sslvpn:2699]: csc_execve: Child exited with status 1

Please consider extending the KB articles on SSL VPN troubleshooting to include checking site2site connections that were applied but are somehow incorrect. Even better, maybe improve the sslvpn service in the CLI and GUI to give a hint where the problem is.
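As an added example (not the poster's code and not part of Sophos' product), here is a small Python triage helper for the kind of csc debug log quoted above: it pairs each log_exec command with the csc_execve exit line that follows it for the same service and PID, keeps only commands that exited non-zero, and lists the openvpn client config names referenced in those commands. The line format, the regular expressions and the function names are my own assumptions derived from the four lines in the post, which are reused verbatim as the sample input (including the differing source and destination client names in the mv command).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample input: the four csc debug lines quoted in the post above,
# copied verbatim. The format assumed below is inferred from these lines only.
SAMPLE_LOG = """\
DEBUG Mar 29 16:13:44Z [sslvpn:2699]: log_exec: Command: /bin/rm -rf /conf/sysfiles/openvpn/client/MYFORGOTTENsite2site/key
INFO Mar 29 16:13:44Z [sslvpn:2699]: csc_execve: Child exited with status 0
DEBUG Mar 29 16:13:44Z [sslvpn:2699]: log_exec: Command: /bin/mv /conf/sysfiles/openvpn/client/BMYFORGOTTENsite2site/certificate /conf/sysfiles/openvpn/client/MYFORGOTTENsite2site/MYFORGOTTENsite2site.certificate
ERROR Mar 29 16:13:44Z [sslvpn:2699]: csc_execve: Child exited with status 1
"""

# Assumed line layout: LEVEL  Mon DD HH:MM:SSZ  [service:pid]: message
LINE_RE = re.compile(
    r"^(?P<level>[A-Z]+) (?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\dZ) "
    r"\[(?P<svc>[a-z]+):(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CMD_RE = re.compile(r"^log_exec: Command: (?P<cmd>.*)$")
EXIT_RE = re.compile(r"^csc_execve: Child exited with status (?P<status>\d+)$")
# Client config directory layout as seen in the quoted paths.
CLIENT_RE = re.compile(r"/conf/sysfiles/openvpn/client/(?P<name>[^/\s]+)")


@dataclass
class FailedCommand:
    timestamp: str
    service: str
    command: str
    status: int
    clients: Tuple[str, ...]  # openvpn client names referenced by the command


def parse_failed_commands(log_text: str) -> List[FailedCommand]:
    """Pair each log_exec command with the next csc_execve exit line for the
    same (service, pid) and return the commands that exited non-zero."""
    pending: Dict[Tuple[str, str], Tuple[str, str]] = {}  # (svc, pid) -> (ts, cmd)
    failures: List[FailedCommand] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unrelated or differently formatted line
        key = (m["svc"], m["pid"])
        cm = CMD_RE.match(m["msg"])
        if cm:
            pending[key] = (m["ts"], cm["cmd"])
            continue
        em = EXIT_RE.match(m["msg"])
        if em and key in pending:
            ts, cmd = pending.pop(key)
            status = int(em["status"])
            if status != 0:
                # dict.fromkeys keeps first-seen order while removing duplicates
                clients = tuple(dict.fromkeys(CLIENT_RE.findall(cmd)))
                failures.append(FailedCommand(ts, m["svc"], cmd, status, clients))
    return failures


def suspect_clients(log_text: str) -> List[str]:
    """Client config names referenced by any failed command, in order of
    first appearance. These are the site2site entries worth reviewing."""
    names: List[str] = []
    for f in parse_failed_commands(log_text):
        for c in f.clients:
            if c not in names:
                names.append(c)
    return names


if __name__ == "__main__":
    for f in parse_failed_commands(SAMPLE_LOG):
        print(f"{f.timestamp} [{f.service}] exit {f.status}: {f.command}")
        print("  referenced client configs:", ", ".join(f.clients))
    print("suspect site2site client configs:", suspect_clients(SAMPLE_LOG))
```

On the quoted lines this reports only the mv command (the rm exited 0) and names both client directories it touches, so an admin can go straight to the site2site entries in the GUI instead of reading the whole debug log.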